
I have a CentOS 7 machine with FirewallD, and net.ipv4.conf.icmp_echo_ignore_all is set to 0. I'm looking for some firewall configs to disable ping replies to external IP addresses, but allow some IP blocks (like 192.168.1.0/24, 10.0.0.0/8 etc.) to get ping replies.

How can I do that?

1 Answer


Here is a solution with iptables

[root@ttucker ~]# iptables -A INPUT -m iprange --src-range 192.168.0.0-192.168.255.255 -p ICMP --icmp-type 8 -j ACCEPT
[root@ttucker ~]# iptables -A INPUT -m iprange --src-range 10.0.0.0-10.255.255.255 -p ICMP --icmp-type 8 -j ACCEPT
[root@ttucker ~]# iptables -A INPUT -p ICMP --icmp-type 8 -j DROP

Here is what it should look like afterwards:

[root@ttucker ~]# iptables -v -n -L INPUT | grep icmp
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            source IP range 192.168.0.0-192.168.255.255 icmptype 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            source IP range 10.0.0.0-10.255.255.255 icmptype 8
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Iptables works by evaluating the rules it has in order from top to bottom on a given chain. In this instance it is the INPUT chain. When iptables finds a rule which matches its conditions, it takes the action specified in -j.

So, in this example, we are stating that if the source is from 10.0.0.0/8 or 192.168.0.0/16, the action is ACCEPT. If the source address is not in that range then it hits the third rule which states to DROP.

Note: you also need to make sure that you don't currently have any rules which accept all ICMP traffic that are prior to these rules.

The -A INPUT means to append to the INPUT chain. So, you first want to list the entire input chain and delete any other ICMP rules which exist there.

Here is how to list the INPUT chain rules:

iptables -v -n -L INPUT

Please let me know if this works for you or if you have any additional questions.

Tim
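The answer above builds the policy by hand with `--src-range` and relies on you eyeballing the listing for an earlier blanket ICMP accept. The following bash script is an added example, not part of the original question or answer: it converts the CIDR blocks from the question into the `--src-range` form the answer uses, emits the same three-rule policy (both as plain `iptables` commands and as the equivalent FirewallD `--direct` rules, which are what persists across a reload on a CentOS 7 box running FirewallD), and runs the "is anything shadowing my DROP?" check over a listing in `iptables -v -n -L INPUT` format. The function names and `SAMPLE_LISTING` are my own; the sample listing is constructed for the example and contains one deliberately shadowing blanket `ACCEPT icmp` rule. Nothing in the script modifies the running firewall; it only prints commands and inspects text.

```shell
#!/bin/bash
# Added example (not from the original answer). Helpers for an ICMP
# echo-request policy that only answers selected source blocks.
# Function and variable names are assumptions of this example.

# cidr_to_range 192.168.1.0/24 -> "192.168.1.0-192.168.1.255"
# (the form expected by "-m iprange --src-range" in the answer).
cidr_to_range() {
    case "$1" in */*) ;; *) set -- "$1/32" ;; esac    # bare host => /32
    local ip="${1%/*}" bits="${1#*/}" o1 o2 o3 o4
    local IFS=.
    set -- $ip
    o1=$1; o2=$2; o3=$3; o4=$4
    local n=$(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
    local mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    local lo=$(( n & mask )) hi=$(( (n & mask) | (~mask & 4294967295) ))
    printf '%d.%d.%d.%d-%d.%d.%d.%d\n' \
        $(( lo >> 24 & 255 )) $(( lo >> 16 & 255 )) $(( lo >> 8 & 255 )) $(( lo & 255 )) \
        $(( hi >> 24 & 255 )) $(( hi >> 16 & 255 )) $(( hi >> 8 & 255 )) $(( hi & 255 ))
}

# emit_rules CIDR... -> the answer's rule order: one ACCEPT per allowed
# block, then a catch-all DROP for echo-request (ICMP type 8).
emit_rules() {
    local cidr
    for cidr in "$@"; do
        printf 'iptables -A INPUT -m iprange --src-range %s -p icmp --icmp-type 8 -j ACCEPT\n' \
            "$(cidr_to_range "$cidr")"
    done
    printf 'iptables -A INPUT -p icmp --icmp-type 8 -j DROP\n'
}

# Same policy as FirewallD direct rules (filter/INPUT, lower priority
# number = earlier in the chain), so it survives --reload and reboot.
emit_firewalld_direct() {
    local cidr prio=0
    for cidr in "$@"; do
        printf 'firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT %d -m iprange --src-range %s -p icmp --icmp-type 8 -j ACCEPT\n' \
            "$prio" "$(cidr_to_range "$cidr")"
        prio=$((prio + 1))
    done
    printf 'firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT %d -p icmp --icmp-type 8 -j DROP\n' "$prio"
}

# check_listing < listing : reads "iptables -v -n -L INPUT" output and
# reports every rule *before* the catch-all DROP that accepts ICMP (or all
# protocols) from any source on any interface without a source range or
# conntrack-state restriction, i.e. a rule that would shadow the DROP.
# Returns 0 if such a rule was found, 1 if the listing is clean.
check_listing() {
    local found=1 pkts bytes target prot opt iface oface src dst extra
    while read -r pkts bytes target prot opt iface oface src dst extra; do
        if [ "$target" = DROP ] && [ "$prot" = icmp ]; then
            case "$extra" in *"icmptype 8"*) break ;; esac   # reached the catch-all
        fi
        [ "$target" = ACCEPT ] || continue
        [ "$prot" = icmp ] || [ "$prot" = all ] || continue
        [ "$iface" = '*' ] && [ "$src" = 0.0.0.0/0 ] || continue
        case "$extra" in
            *"source IP range"*|*state*) continue ;;   # scoped by source block or conntrack state
        esac
        printf 'shadowing rule: %s %s in=%s src=%s %s\n' "$target" "$prot" "$iface" "$src" "$extra"
        found=0
    done
    return $found
}

# Constructed sample listing (not real output from the asker's machine).
# Line 5 is a blanket ACCEPT of all ICMP that sits above the scoped rules.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    4   336 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            source IP range 192.168.0.0-192.168.255.255 icmptype 8
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8'

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    emit_rules 192.168.1.0/24 10.0.0.0/8
    emit_firewalld_direct 192.168.1.0/24 10.0.0.0/8
    printf '%s\n' "$SAMPLE_LISTING" | check_listing || echo "no shadowing ICMP accept found"
fi
```

To check a live box instead of the sample, pipe the real listing in: `iptables -v -n -L INPUT | check_listing`. Rules added with plain `iptables -A` on a FirewallD host are not persistent and are lost on reboot or `firewall-cmd --reload`, which is why the script also prints the `--direct` form; direct rules land in a chain that FirewallD evaluates before its zone rules, so the catch-all DROP is not bypassed by a zone-level ICMP accept.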